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IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 

Applicant: Dan BUTNARU et al. , Art Unit : 

Serial No!: 09/889524 Examiner: 
Filed : July 18, 2001 

Title : METHOD FOR SECURE DOWNLOADING DATA BETWEEN SECURITY 
UNITS 

Assistant Commissioner for Patents 
Washington, DC 20231 

PRELIMINARY AMENDMENT 

Dear Sir: 

Before examining the referenced application on the merits, please amend the 
application as outlined below: 

IN THE CLAIMS 

Please amend the claims as outlined below. A marked-up version of the claims, 
illustrating the changes, is attached as Appendix A. 
Please cancel claim 1 . 
Please add the following claims: 

--20. (New) A method for customizing a set of several second security units, comprising: 
secure downloading of an application key from a first security unit of a central 
processing unit to said set of second security units, said first unit and second units 
each comprising at least one memory, wherein the method further comprises for 
each second unit in said set: 

on each downloading, computing an operation key in the first unit based on information 
specific to the second unit, a transport key, and a diversification algorithm, said 
transport key residing within the memory of the first security unit, said memory 
being non volatile; 

encrypting the application key in the first unit based on information comprising said 

operation key and an encryption algorithm; 

1 
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sending data comprising the encrypted application key to the second unit; 

on each downloading, computing an operation key in the second unit based on 
information specific to the second unit, the transport key and the diversification 
algorithm, the same transport key residing in the non-volatile memory of each 
second security unit of said set, said operation key not being stored within the 
memory of said second unit; and 

decrypting the encrypted application key in the second unit based on information 
comprising said operation key and a decryption algorithm which is the inverse of 
the encryption algorithm. 

21. (New) A method according to claim 3, further comprising: 

sending the random information, information pertaining to an application key and 
information specific to the second unit to the first unit by means of a first single 
command. 

22. (New) A method according to claim 4, further comprising: 

sending the random information, information pertaining to an application key and 
information specific to the second unit to the first unit by means of a first single 
command. 

23. (New) A method according to claim 2, further comprising: 

sending the encrypted application key and the information pertaining to an 
application key to the second unit by means of a single second command.-- 

Please amend the claims as follows: 

2. (Once Amended) A method according to claim 20, further comprising: 

sending information specific to the second unit to the first unit before computing 
the application key in the first unit. 

3. (Once Amended) A method according to claim 20, further comprising: 

sending a random number provided by the second unit to the first unit, before 
encrypting the application key in the first unit. 

4. (Once Amended) A method according to claim 20, further comprising: 
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sending information pertaining to an application key to the first unit, before 
encrypting the application key within, said first unit. 

5. <Once Amended) A method according to claim 4, further comprising: 

choosing the application key to be encrypted based on said information. 

6. (Once Amended) A method according to claim 20, wherein said encryption of an 

application key intended for a second unit is unique. 

7. (Once Amended) A method according to claim 20, further comprising: 

verifying integrity of the data includes the encrypted application key. 

8. (Once Amended) A method according to claim 20, further comprising: 

sending information pertaining to an application key to the second unit, before 
decrypting the encrypted application key within said second unit of said set. 

9. (Once Amended) A method according to claim 20, further comprising: 

storing within the second unit, after decrypting the encrypted application key, said 
key within said second unit. 

10. (Once Amended) A method according to claim 9, wherein storing of the application 

key within the second unit is done based on information pertaining to an 
application key. 

11. (Once Amended) A method according to claim 20, further comprising: 

verifying that the application key is authentic. 

12. (Once Amended) A method according to claim 20, wherein the first security unit 

comprises a smart card. 

13. (Once Amended) A method according to claim 20, wherein the memory comprises a 

rewritable memory. 

14. (Once Amended) A method according to claim 20, wherein a second unit comprises 

several application keys. 

15. (Once Amended) A method according to claim 20, wherein the first unit comprises 

several application keys. 

16. (Once Amended) A method according to claim 20, further comprising: 

after encrypting the application key, erasing the operation key temporarily saved 
within the second volatile memory of the first unit. 

17. (Once Amended) A method according to claim 20, further comprising: 
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after decrypting the application key, erasing the operation key temporarily saved 
-within a second volatile memory in the first unit. 

1 8. (Once Amended) A method according to claim 2, further comprising: 

sending the random information, information pertaining to an application key and 
information specific to the second unit to the first unit by means of a first single 
command. 

19. (Once Amended) A method according to claim 20, further comprising: 

sending the encrypted application key and the information pertaining to an 
application key to the second unit by means of a single second command. 



The amendments have been made in order to comply with the formal requirements of 
the USPTO. No new matter was introduced by such amendments, and no amendments were 
made for reasons relating to patentability. Favorable consideration of this application is 
respectfully requested. 



Please apply any charges not covered, or any credits, to Deposit Account 500-591 



Remarks 



(Reference No. 9669.004001). 



Respectfully submitted, 





Rosenthal & Osha LX.P. 
700 Louisiana, Suite 4550 
Houston, TX 77002 



Telephone: (713) 228-8600 
Facsimile: (713)228-8778 
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APPENDIX A - MARKED-UP VERSION OF THE CLAIMS 

• Newly added matter has been indicated by underline, while matter to be appears in 
brackets and boldface. 

2. (Once Amended) A method according to claim [1] 20, [characterized in that it 
further comprises an additional step of] further comprising : 

[-] sending information specific to the second unit [(EI)] to the first unit [(AS)] before 
computing the application key [(Tl)] in the first unit [(AS)]. 

3. (Once Amended) A method according to [claims 1 or 2] claim 20 , [characterized in 

that it further comprises an additional step of] further comprising : 

[-] sending a random number provided by the second unit [(EI)] to the first unit 

[(AS)], before encrypting the application key [(TA)] in the first unit [(AS)]. 

4. (Once Amended) A method [according to any of the preceding claims, 
characterized in that it further comprises an additional step of] according to 
claim 20. further comprising : 

[-] sending information pertaining to an application key [(TA)] to the first unit [(AS)], 
before encrypting the application key [(TA)] within said first unit [(AS)]. 

5. (Once Amended) A method according to claim 4, [characterized in that it further 

comprises an additional step of] further comprising : 

[-] choosing the application key [(TA)] to be encrypted based on said information. 

6. (Once Amended) A method [according to any of the preceding claims, 
characterized in that] according to claim 20. wherein said encryption of an 
application key [(TA)] intended for a second unit [(EI)] is unique. 



PATENT 

ATTORNEY DOCKET NO.: 09669.004001 

7. (Once Amended) A method [according to any of the preceding claims, 
characterized in that it further comprises and additional step of] according to 
claim 20. further comprising : 

[-] verifying integrity of the data [(DATA)] includes the encrypted application key 
[(TA)]. 

8. (Once Amended) A method [according to any of the preceding claims, 
characterized in that it further comprises an additional step of] according to 
claim 20. further comprising : 

[-] sending information pertaining to an application key [(TA)] to the second unit 
[(EI)], before decrypting the encrypted application key [(TA)] within said second unit 
[(EI)] of said set [(S)]. 

9. (Once Amended) A method [according to any of the preceding claims, 
characterized in that it further comprises an additional step of] according to 
claim 20. further comprising : 

[-] storing within the second unit [(EI)], after decrypting the encrypted application 
key [(TA)], said key [(TA)] within said second unit [(EI)]. 

10. (Once Amended) A method according to claim 9, [characterized in that] wherein 
storing of the application key [(TA)] within the second unit [(EI)] is done based on 
information pertaining to an application key [(TA)]. 

11. (Once Amended) A method [according to any of the preceding claims, 
characterized in that it further comprises an addition step of] according to claim 
20. further comprising : 

[-] verifying that the application key [(TA)] is authentic. 
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12. (Once Amended) A method [according to any of the preceding claims, 
characterized in that] according to claim 20. wherein t he first security unit [(AS) is] 
comprises a smart card. 

13. (Once Amended) A method [according to any of the preceding claims, 
characterized in that] according to claim 20. wherein the memory [(M) is] 
comprises a rewritable memory. 

14. (Once Amended) A method [according to any of the preceding claims, 
characterized in that] according to claim 20. wherein a second unit [(EI)] comprises 
several application keys [(TA)]. 

15. (Once Amended) A method [according to any of the preceding claims, 
characterized in that] according to claim 20. wherein the first unit [(AS)] comprises 
several application keys [(TA)]. 

16. (Once Amended) A method [according to any of the preceding claims, 
characterized in that it further comprises an additional step of] according to 
claim 20. further comprising : 

[-] after encrypting the application key [(TA)], erasing the operation key [(Tl)] 
temporarily saved within the second volatile memory of the first unit [(AS)]. 

17. (Once Amended) A method [according to any of the preceding claims, 
characterized in that it further comprises an additional step of] according to 
claim 20. further comprising : 

[-] after decrypting the application key [(TA)], erasing the operation key [(Tl)] 
temporarily saved within a second volatile memory [(M2)] in the first unit [(EI)]. 
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18. (Once Amended) A method [according to preceding claims 2 to 4, characterized in 
that it further comprises an additional step of] according to claim 2, further 
comprising : 

[-] sending the random information, information [(REF1)] pertaining to an 
application key [(TA)] and information [(SN)] specific to the second unit [(EI)] to the 
first unit [(AS)] by means of a first single command [(EXPORTKEY)]. 

19. (Once Amended) A method [according to preceding claims 1 and 2, characterized in 
that it further comprises the additional steps of] according to claim 20. further 
comprising : 

[-] sending the encrypted application key [(TA)] and the information [(REF2)] 
pertaining to an application key [(TA)] to the second unit [(EI)] by means of a single 
second command [(IMPORTKEY)]. 



8 



RWdPGr/PTO 1 3 AUG 2001 







r p i? i Ttrir^ \ tf nu matt Tivr 1 rv ftpst ci ass lYtATl, H7 CfkH «» 

Applicant(s): Dan BUTNARU et al. 


159 5 2 ticket No. 

09669/004001 


Serial No. 
09/889,524 


Filing Date 
July 18, 2001 


Examiner 


Group Art Unit 


Invention: 

METHOD FOR SECURE DOWNLOADING DATA BETWEEN SECURITY UNITS 



I hereby certify that this Preliminary Amendment 



(Identify type of correspondence) 

is being deposited with the United States Postal Service as first class mail in an envelope addressed to: The 



Assistant Commissioner for Patents, Washington, D.C. 20231 on 



August 8, 2001 



(Date) 




Note: Each paper must have its own certificate of mailing. 



P07A/REV03 




09/889524 



76-0546 



- 1 - 



J018Rec'dPC77PTO \ SM 2001 



10 



15 



20 



25 



30 



METHOD FOR SECURE DOWNLOADING OF DATA BETWEEN SECURITY 

UNITS 



The present invention relates to a method for 
customizing a set of several second security units, 
comprising secure downloading of an application key from 
a first security unit to said second security units in 
said set, wherein said first unit and said second units 
each comprise at least one memory. 

In particular, this invention can advantageously be 
applied during a phase when second security units are 
customized in such fields as customer fidelity and 
banking . 

Such a customization method is carried out before 
said second units are put into use. For example, when 
they are used in the field of customer fidelity, the 
second units are found in gas station terminals and are 
used so as to provide security services in debit -credit 
transactions of fidelity points between one of said 
terminals and user credit cards. In the banking field, 
the second units are found in banking terminals and 
provide secure services for money transactions in user 
credit cards. 

A well-known state of the art which is disclosed in 
the published US patent No 5 517 667 under the name of 
DAQ Electronics, teaches that there exists a key 
encryption system exists for making secure 
communications that can be established between a second 
security unit or "master unit" and a third user unit or 
"remote unit", when the latter is installed in a remote 
location, such as a portable telephone. This security 
system is based on the use of a temporary communication 
key. According to this system, after the user unit has 
been installed at its remote location, a communication 
key is generated by means of the second unit. 
Accordingly, for establishing each communication from 
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the second unit to the user unit, the encrypted 
communication key is sent. The communication key enables 
exchange of secure messages between the second and user 
units, as it is only known by these two units. More 
5 specifically, the key is based on a pair of secret 
numbers which are unique to each user unit, and the 
second unit includes all pairs corresponding to all user 
units. This system is even more secure as a pair of two 
secret numbers is written within the user unit ' s memory, 

10 which is volatile. Thus, when a communication is 
completed and when the user unit is no longer supplied 
with power, this pair is erased and there is no risk of 
unauthorized discovery of both secret numbers. In order 
to establish another communication, the system generates 

15 another communication key. 

The above-mentioned document describes a system 
which is put into operation when using a second unit and 
a user unit with an aim to establish a secure 
communication between both units by using the same 

2 0 communication key, which is dedicated to communications. 
It provides no description whatsoever of a customization 
system for secure key downloading in a set of several 
second security units. 

Therefore, a technical problem to be solved by an 

2 5 object of the present invention is to provide a method 

for customizing a set of several second security units 
comprising secure downloading of an application key from 
a first security unit to said second security units in 
said set, wherein said first unit and second units each 

3 0 comprise at least one memory, so as to prevent, on the 

one hand, unauthorized discovery of said application 
key, and on the other hand, to speed up the 
customization phase of said second security units. 

A solution to the technical problem posed is 
35 characterized in that said customization method 
comprises the steps of : 

for each second unit in said set, 
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- on each downloading, computing, in the first 
unit, an operation key based on a piece of information 
specific to the second unit, a transport key, and a 
diversification algorithm, said transport key residing 

5 in the memory of the first security unit, said memory 
being non-volatile, 

- encrypting the application key in the first unit, 
based on information comprising said operation key and 
an encryption algorithm, said application key residing 

10 in said memory, 

- sending data comprising the encrypted application 
key to the second unit, 

- on each downloading, computing, in the second 
unit, the operation key based on the piece of 

15 information specific to the second unit, the transport 
key and the diversification algorithm, wherein the same 
transport key resides in the non-volatile memory of each 
second security unit in said set, said operation key not 
being stored in the memory of said second unit, 

2 0 - decrypting the"- encrypted application key in the 

second unit based on information comprising said 
operation key and a decryption algorithm which is the 
inverse of the encryption algorithm. 

Therefore, as will be seen in detail below, the 

2 5 downloading method of the present invention enables, by 

computing said operation key and only preserving it for 
the period when the application key is being encrypted 
or decrypted, to improve downloading security of an 
application key. Therefore, a defrauder will neither be 

3 0 able to access said operation key nor, as a consequence, 

the application key. Possible tampering is therefore 
prevented and time-consuming operations for the 
customization phase are no longer carried out, since the 
computation time of the operation key is negligible with 
35 respect to the access time required for storing said 
key . 

The present invention will be understood more fully 
from the description given herebelow and from the 
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accompanying drawings which should not be taken to be 
limiting the invention. 

Figure 1 is a view showing a first unit and several 
second units belonging to the same set. 
5 Figure 2 is a view showing a first unit and a 

second unit of Figure 1. 

Figure 3 is a view showing a data interchange 
between the first unit and the second unit of Figure 2. 

Figure 4 is a view showing a second interchange of 
10 data between the first unit and the second unit of 
Figure 2 . 

Figure 5 is a view showing a first interchange of 
data between the first unit and the second unit of 
Figure 2 . 

15 Figure 6 is a view showing a first interchange of 

data between the first unit and the second unit of 
Figure 2 . 

Figure 1 shows a first security unit AS and several 
security units EI belonging to the same set S (not 

2 0 shown) , each of the units (AS, EI) comprising at least 
one non-volatile memory M. The first unit AS as well as 
the second units EI of said set S have the same 
transport key T and the same algorithm ALGOl, referred 
to as a diversification algorithm, which reside in 

2 5 memory M. Figure 2 shows unit AS as well as one unit EI 
from the set S. Each second unit EI of set S has the 
same transport key T. Thus, a set of second units EI is 
differentiated from another set by means of transport 
key T. For example, two sets of second units EI 

30 correspond to two different gas station providers. 

Moreover, the first unit AS has an application key 
TA and an encryption algorithm ALG02 . It should be noted 
that both algorithms ALGOl and ALG02 may use the same 
basic algorithm. Each unit EI of said set S comprises 

35 specific information SN and at least one user 
application (not shown) such as an application providing 
security services for fidelity point debit -credit 
transactions . 



In order to use security units EI of said set S, 
each second unit EI of said set S must first download an 
application key TA from the first unit AS, during a so- 
called customization phase comprising the steps 
described below. This key is transferred by means of a 
standard communications network. A defrauder who would 
spy on said network or said units is prevented from 
accessing keys in the units as described below. 

In a first step, on each downloading, a computation 
is made in the first unit AS of an operation key Tl 
based on the information SN specific to second unit EI, 
transport key T and diversification algorithm ALG01, 
said transport key T residing in memory M of first 
security unit AS, which memory is non-volatile. 
Preferably, memory M is a rewritable memory. It should 
be noted that transport key T remains valid even during 
the phases when the second unit EI is being used, as 
long as it is not replaced. 

Information SN specific to second unit EI does not 
reside in the first unit. Therefore, as shown in Figure 
3, information SN specific to second unit EI is sent to 
first unit AS before operation key Tl is computed in 
first unit AS. First unit AS preferably contains several 
application keys TA. Said key Tl will serve for 
downloading one of the application key TA contained in 
first unit AS, and the selected application key will be 
encrypted and sent to unit EI. One application key is 
associated with one user application. The appropriate 
key is chosen according to the application residing in 
second unit EI . 

As shown in Figure 3, for selecting one of said 
application keys TA, in a second step, a piece of 
information REF1 relative to application key TA is sent 
to first unit AS before encrypting application key TA in 
said unit AS, and the application key TA to be encrypted 
is chosen based on said information REF1. For example, a 
reference representing a key number of three can be sent 
by second unit EI to indicate that the third key, which 
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corresponds to an application in said unit EI, has been 
chosen. It is the latter that will be downloaded into 
second unit EI. If there is no application key TA 
referred to by said number REF1, the first unit AS 
5 indicates that the key does not exist. 

In a third step, as shown in Figure 3, application 
key TA is encrypted in first unit AS from information 
comprising said operation key Tl and encryption 
algorithm ALG02 . The operation key temporarily resides 
10 in a second volatile memory (not shown) in first unit 
AS . 

In order to protect first unit AS against possible 
tampering, after application key Ta has been encrypted, 
the operation key Tl that was temporarily saved within 

15 the second volatile memory of first unit AS is erased. 

After said key TA has been encrypted, data "DATA" 
comprising the encrypted application key TA is sent to 
the second unit TA. 

In a fourth step, encrypted application key TA is 

20 decrypted in second unit EI based on information 
including operation key Tl and a decryption algorithm 
ALG02P which is the inverse of encryption algorithm 
ALG02 . In this step, in order to find out the chosen 
application key TA, it is necessary to use the same 

25 operation key Tl as used for encrypting said application 
key TA in the first security unit AS. For that purpose, 
before decrypting said encrypted application key TA, on 
each download, a computation is made in second unit El 
of operation key Tl based on information SN specific to 

30 second unit EI, transport key T and diversification 
algorithm ALG01, said same transport key T residing in 
non-volatile memory M of each second security unit EI of 
said set S, said operation key Tl not being stored 
within memory M of a second unit EI . Preferably, the 

35 memory M of the second unit is rewritable. The operation 
key Tl is temporarily saved within a second volatile 
memory (not shown) in second unit EI . 
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It should be noted that this computation can be 
done at any time before application key TA is encrypted. 
The data items required for computing operation key Tl 
in second security unit EI are the same as those used 
5 for computing operation key Tl in first unit AS. 
Therefore, both keys Tl are identical and the chosen 
application key TA is indeed found in second unit EI. It 
was not necessary to send the operation key Tl over the 
communication network. 

10 In a fifth step, after application key TA has been 

decrypted and preferably just before this decryption, 
the temporarily saved operation key Tl is erased from 
said second volatile memory in second unit EI. 

The fact of, on the one hand, not sending any 

15 operation key Tl over the communication network and on 
the other hand, not storing any operation key Tl within 
a non-volatile memory M in a second module EI and 
finally, the fact that said operation key only resides 
in the second unit only for the time required for 

2 0 decrypting application key TA, makes tampering more 

difficult to carry out inasmuch as, if a defrauder 
wishes to find an application key TA, he or she should 
first find the operation key Tl in use. Finally, this 
facilitates customization and setting up an n-th second 
25 unit EI since, for customizing second units, it is no 
longer required to carry out two downloads, first one 
for downloading an operation key TA and second, for 
downloading an application key TA, but downloading only 
an application key TA is sufficient. Thus, one gets rid 

3 0 of the first downloading operation which is usually 

carried out by an entity different from first unit AS, 
which generally complicates things correspondingly. 

Just as the first unit AS, a unit EI will 
preferably comprise several application keys TA. Thus, 
35 by means of a second unit EI, several applications can 
be handled. Moreover, this improves the security of said 
units since, on the one hand, it will be more difficult 
for a defrauder to uncover an application key from among 
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others, and on the other hand, to know to what 
application it is dedicated to. In the previous example 
relating to the field of customer fidelity, when using a 
second unit EI, the latter should be able to provide 
5 various services such as securing debit -credit 
transactions of fidelity points, for example, for 
different fuel types. Thus, it is important to have 
different application key TA in unit EI for managing the 
security of said different transaction types, which 

10 represent different applications. 

Therefore, in a sixth step, a piece of information 
REF2 pertaining to an application key TA is sent to 
second unit EI before said encrypted application key TA 
is decrypted in unit EI, as shown in Figure 4. 

15 Information REF2 enables to either choose application 
key TA, which will be assigned the value of the 
application key originating from the first unit AS, or 
indicate a location where said key TA provided by said 
first unit AS will be loaded. Therefore, it is possible 

2 0 to either modify a value of a key TA already residing in 

said second unit EI, or to download a new application 
key TA into a second unit EI for a new user application. 

In case application key TA referred to by said 
information REF2 does not exist or said location does 
25 not exist or is not designed for accepting a key, second 
unit EI rejects the received key and indicates that an 
error has occurred. It should be noted that the REF1 and 
REF2 information sent to the first and second security 
units, respectively, can be equivalent. 

3 0 Later on, when used, one of the application keys TA 

residing in second unit EI can be used by said unit for 
identifying itself with respect to external entities 
such as a user card. However, said identification has to 
be unique. Therefore, key TA should not have any 
35 duplicate. Thus, when it is desired to download this 
key, the chosen application key TA is diversified within 
unit AS, before said key is encrypted. Diversification 
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is done as a function of information specific to each 
second unit. 

Finally, in a last step, after said encrypted 
application key TA has been decrypted, key TA is stored 
5 into second unit EI. Storing application key TA in said 
second unit EI is done based on information REF2 
pertaining to an application key TA. The key is stored 
in rewritable non-volatile memory M. 

Second unit EI can now be used and placed at a 

10 remote user location such as a gas station terminal. It 
should be noted that no operation key Tl has been 
transferred from first unit AS to second unit EI and 
loaded into memory M of the security modules. The 
operations required for both of these actions are not 

15 performed, which reduces the time needed for 
customization. Thus, no secret key immediately usable by 
an algorithm is stored, which prevents unauthorized 
analysis of said algorithm for uncovering said data. 
Consequently, it is useless for a defrauder to either 

2 0 spy on the communication network or the security modules 
in order to find out the operation key Tl used. 

Another advantage of the object of the present 
invention lies in the fact that information SN specific 
to each second security unit EI is unique. Operation key 

2 5 Tl, which has been diversified, i.e. computed based on 

said information, is therefore unique to each security 
unit EI. Therefore, encrypted application key TA, which 
is a function of said operation key Tl, is only intended 
for a single second destination unit EI, which enhances 
30 the security feature of this invention. If a second unit 
EI does not have the same information SN as the one used 
for computing operation key Tl in first unit AS and if 
it therefore receives an application key TA which is not 
intended for it, it rejects this key and indicates that 

3 5 an error has occurred. 

Other security features described below are within 
the scope of the present invention. 
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The object of the present invention provides an 
additional step, shown in Figure 4, according to which a 
random number R obtained from second unit EI is sent to 
first unit AS before application key TA is encrypted 
within first unit AS. Information that are useful, on 
the one hand, to encrypt application key TA in first 
unit AS, and on the other hand, to decrypt encrypted 
application key TA within second unit EI, comprise the 
random number obtained from second unit EI . The use of a 
random number R for encrypting and decrypting said 
application key TA avoids having the same encryption 
value for the same application key TA intended for a 
second unit EI when, for example, said key is loaded 
several times into said unit. Thus, each encryption of 
an application key TA intended for a second unit EI is 
unique. Therefore, a defrauder who spies on the 
communication network and gathers data DATA as it is 
transferred never obtains the same encryption value and 
therefore cannot uncover any secret relating to the 
transferred application key TA. 

However, during such a transfer, the defrauder may 
have carried out unauthorized operations which alter the 
transferred data. Thus, the data DATA, which include the 
encrypted application key TA, are verified for 
integrity. For this purpose, as shown in Figure 5, a 
certificate CAS is computed in first unit AS on said 
data DATA, before said data is sent, said certificate 
thereafter being sent later on to the second unit EI and 
verified within said second unit before encrypted 
application key TA is decrypted in said second unit EI. 
In order to carry out verification, certificate CEI is 
computed in second unit EI based on the received data 
and both certificates CAS and CEI are compared. If a 
fraud or an error has occurred during said transfer, the 
verification of certificate CAS is erroneous, the 
decryption of application key TA is not performed and 
second unit EI indicates that an error has occurred. 
This system therefore guaranties integrity of data DATA 
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when it is transferred from first unit AS to second unit 
EI over the communication network, before using a second 
unit EI, that is before on-site use. Moreover, in case 
the verification is not valid, this avoids having to 
carry out an unnecessary decryption and therefore a 
useless waste of time. 

Just as it is necessary to ensure transferred data 
integrity, authenticity of the data stored into second 
unit EI should also be guaranteed. Application key TA is 
thus verified for authenticity. For that purpose, as 
shown in Figure 5, before application key TA is 
encrypted, a signature SAS of said key TA is computed 
within first unit AS, said signature being subsequently 
sent to second unit EI and verified within said unit. 
Signature verification of said application key TA is 
performed after encrypted key TA is decrypted in the 
second unit EI and before said key within said unit is 
stored. In order to carry out this verification, a 
signature SEI is computed with the decrypted application 
key TA in second unit EI and the two signatures SAS and 
SEI are compared. When both signatures match, decrypted 
application key TA is authenticated and stored. In case 
the application key TA is not authenticated, this key is 
not stored and the second unit EI indicates that an 
error has occurred. The above -described system thus 
makes it possible to verify that the correct chosen 
application key TA has been recovered in the first unit 
AS and not some other key. It should be noted that when 
said signature SAS exists, certificate CAS is also 
computed as a function of said signature SAS. This 
signature is part of the data DATA sent during the third 
step described above . 

Sending data such as a certificate or a signature 
to a security unit relies on operations whose execution 
time adds up to that of the customization phase. Thus, 
in order to reduce the number of access operations to 
the different units and thus, to reduce the 
customization time, the data set required by a security 
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unit is sent once by means of a single command. Random 
number R, number REF1 relating to an application key TA 
and number SN specific to second unit EI, are sent to 
first unit AS by means of a first single command 
5 EXPORTKEY. In the same way, encrypted application key 
TA, number REF2 relating to an application key TA, 
signature SAS, as well as certificate CAS, when they 
exist, are sent to second unit EI by means of a second 
single command IMPORTKEY. 

10 The present invention is more particularly 

applicable in the case when first security unit AS is a 
smart card. The smart card comprises a plastic card body 
into which an electronic unit is embedded, which 
comprises an integrated circuit chip. This chip usually 

15 comprises two memories M and a third volatile memory 
(RAM) , wherein first memory M is rewritable (EEPROM) and 
the second memory is not rewritable (ROM) . First memory 
M comprises all application keys TA and transport key T. 
The third memory stores operation key Tl . The latter 

2 0 only resides in said memory only during encryption or 

decryption of the application key in a security module. 
The diversification and encryption algorithms ALGOl and 
ALG02 may reside in the first or second memory M. 
However, it should be noted that it is not a 
25 prerequisite that these algorithms do not have to reside 
in the smart card. They can be stored in an entity 
external to said smart card, for example in a central 
processing unit of a terminal to which said smart card 
would be connected. 

3 0 By means of the smart card, it is possible to 

ensure a better protection of application key TA. In a 
smart card, contrary to a computer terminal, for 
example, the keys are unknown to any entity (a terminal, 
a card administrator, another smart card, etc.) except 
35 for the entity issuing said keys. In addition, tampering 
is more difficult to perform on a smart card than the 
central processing unit of a terminal, for example. For 
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the same reasons, the second security unit is a smart 
card . 

It should be noted that an application key TA, as 
it is stored in a non-volatile memory M, can be used on 
several occasions where a second unit EI is used, 
because even when the latter is no longer powered, the 
key is not erased. 



CLAIMS 

1. A method for customizing a set (S) of 
several second security units (EI) , comprising secure 
downloading of an application key (TA) from a first 
security unit (AS) of a central processing unit to said 
set of second security units (EI) , said first unit and 
second units each comprising at least one memory (M) , 
characterized in that it comprises the steps of: 

for each second unit (EI) in said set (S) , 

- on each downloading, computing an operation 
key (Tl) in the first unit (AS) based on information 
specific to the second unit (EI) , a transport key (T) , 
and a diversification algorithm (ALGOl) , said transport 
key (T) residing within the memory (M) of the first 
security unit (AS) , said memory (M) being non-volatile, 

- encrypting the application key (TA) in the 
first unit (AS) based on information comprising said 
operation key (Tl) and an encryption algorithm (ALG02) , 
said application key (TA) residing in said memory (M) , 

sending data (DATA) comprising the 
encrypted application key (TA) to the second unit (EI) , 

- on each downloading, computing an operation 
key (Tl) in the second unit (EI) based on information 
specific to the second unit (EI) , the transport key (T) 
and the diversification algorithm (ALGOl) , the same 
transport key (T) residing in the non-volatile memory 
(M) of each second security unit (EI) of said set (S) , 
said operation key (Tl) not being stored within the 
memory (M) of said second unit, 

- decrypting the encrypted application key 
(TA) in the second unit (EI) based on information 
comprising said operation key (Tl) and a decryption 
algorithm (ALG02P) which is the inverse of the 
encryption algorithm (ALG02) . 

2. A method according to claim 1, 
characterized in that it further comprises an additional 
step of : 
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- sending information specific to the second 
unit (EI) to the first unit (AS) before computing the 
application key (Tl) in the first unit (AS) . 

5 3 . A method according to claims 1 or 2 , 

characterized in that it further comprises an additional 
step of : 

- sending a random number provided by the 
second unit (EI) to the first unit (AS) , before 

10 encrypting the application key (TA) in the first unit 
(AS) . 

4 . A method according to any of the preceding 
claims, characterized in that it further comprises an 

15 additional step of: 

sending information pertaining to an 
application key (TA) to the first unit (AS) , before 
encrypting the application key (TA) within said unit 
(AS) . 

20 

5. A method according to claim 4, 
characterized in that it further comprises an additional 
step of: 

- choosing the application key (TA) to be 

2 5 encrypted based on said information. 

6 . A method according to any of the preceding 
claims, characterized in that said encryption of an 
application key (TA) intended for a second unit (EI) is 

3 0 unique. 

7 . A method according to any of the preceding 
claims, characterized in that it further comprises an 
additional step of: 

35 - verifying integrity of the data (DATA) 

include the encrypted application key (TA) . 
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8 . A method according to any of the preceding 
claims, characterized in that it further comprises an 
additional step of: 

sending information pertaining to an 
5 application key (TA) to the second unit (EI) , before 
decrypting the encrypted application key (TA) within 
said unit (EI) of said set (S) . 

9. A method according to any of the preceding 
10 claims, characterized in that it further comprises an 

additional step of : 

- storing within the second unit (EI) , after 
decrypting the encrypted application key (TA) , said key 
(TA) within said unit (EI) . 

15 

10. A method according to claim 9, 
characterized in that storing of the application key 
(TA) within the second unit (EI) is done based on 
information pertaining to an application key (TA) . 

20 

11 . A method according to any of the 
preceding claims, characterized in that it further 
comprises an additional step of: 

- verifying that the application key (TA) is 

25 authentic. 

12 . A method according to any of the 
preceding claims, characterized in that the first 
security unit (AS) is a smart card. 

30 

13 . A method according to any of the 
preceding claims , characterized in that the memory (M) 
is a rewritable memory. 



35 



14 . A method according to any of the 
preceding claims, characterized in that a second unit 
(EI) comprises several application keys (TA) . 
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15. A method according to any of the 
preceding claims, characterized in that the first unit 
(AS) comprises several application keys (TA) . 

16. A method according to any of the 
preceding claims, characterized in that it further 
comprises an additional step of: 

- after encrypting the application key (TA) , 
erasing the operation key (Tl) temporarily saved within 
the second volatile memory of the first unit (AS) . 

17. A method according to any of the 
preceding claims, characterized in that it further 
comprises an additional step of : 

- after decrypting the application key (TA) , 
erasing the operation key (Tl) temporarily saved within 
a second volatile memory (M2) in the first unit (EI) . 

18. A method according to preceding claims 2 
to 4, characterized in that it further comprises an 
additional step of: 

- sending the random information, information 
(REF1) pertaining to an application key (TA) and 
information (SN) specific to the second unit (EI) to the 
first unit (AS) by means of a first single command 
(EXPORTKEY) . 

19. A method according to preceding claims 1 
and 2, characterized in that it further comprises the 
additional steps of: 

- sending the encrypted application key (TA) 
and the information (REF2) pertaining to an application 
key (TA) to the second unit (EI) by means of a single 
second command (IMPORTKEY) . 
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| | Assignee of record of the entire interest. See 37 CFR 3.71 . 

Statement under 37 CFR 3.73(b) is enclosed. (Form PTOISBI96). 
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(Wo of the Invention) 
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I hereby claim foreign priority benefits under 35 U.S.C, 1 19(a)-(d) or (f), or 365(b) of any foreign application^) for patent, inventor's 
or plant breeder's rights certificate^), or 365(3) Or any PCT international appiitiKllun which designated (it leant onn oountry other 
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